使用 AWS Lambda 仅使用角色访问 S3
Use AWS Lambda to access S3 using only Roles
我有一个用 Java 编写的 Lambda 函数,我希望它访问 S3 (putObject)。
我不想在我的 Lambda 函数中使用或存储凭据来访问 S3。相反,我想使用 IAM 角色。
如何在我的 java 代码(即 Lambda 的 运行)中编写不需要任何凭据并假设 Lambda 具有适当角色的 AWS S3 客户端?
您不需要在 lambda 函数中存储凭据。所有具有角色的函数 运行 - 您在创建函数时设置的角色。由于 lambda 函数有一个角色,您可以根据需要从这个角色中添加或删除权限,而无需更改函数本身
Manage Permissions: Using an IAM Role (Execution Role)
Each Lambda function has an IAM role (execution role) associated with
it. You specify the IAM role when you create your Lambda function.
Permissions you grant to this role determine what AWS Lambda can do
when it assumes the role. There are two types of permissions that you
grant to the IAM role:
If your Lambda function code accesses other AWS resources, such as to
read an object from an S3 bucket or write logs to CloudWatch Logs, you
need to grant permissions for relevant Amazon S3 and CloudWatch
actions to the role. If the event source is stream-based (Amazon
Kinesis Streams and DynamoDB streams), AWS Lambda polls these streams
on your behalf. AWS Lambda needs permissions to poll the stream and
read new records on the stream so you need to grant the relevant
permissions to this role.
http://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html
我有一个用 Java 编写的 Lambda 函数,我希望它访问 S3 (putObject)。
我不想在我的 Lambda 函数中使用或存储凭据来访问 S3。相反,我想使用 IAM 角色。
如何在我的 java 代码(即 Lambda 的 运行)中编写不需要任何凭据并假设 Lambda 具有适当角色的 AWS S3 客户端?
您不需要在 lambda 函数中存储凭据。所有具有角色的函数 运行 - 您在创建函数时设置的角色。由于 lambda 函数有一个角色,您可以根据需要从这个角色中添加或删除权限,而无需更改函数本身
Manage Permissions: Using an IAM Role (Execution Role)
Each Lambda function has an IAM role (execution role) associated with it. You specify the IAM role when you create your Lambda function. Permissions you grant to this role determine what AWS Lambda can do when it assumes the role. There are two types of permissions that you grant to the IAM role:
If your Lambda function code accesses other AWS resources, such as to read an object from an S3 bucket or write logs to CloudWatch Logs, you need to grant permissions for relevant Amazon S3 and CloudWatch actions to the role. If the event source is stream-based (Amazon Kinesis Streams and DynamoDB streams), AWS Lambda polls these streams on your behalf. AWS Lambda needs permissions to poll the stream and read new records on the stream so you need to grant the relevant permissions to this role.
http://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html